Carrots, sticks and European data regulations

In recent months, the European Union has made strides in regulating the data protection space. Unfortunately, for many businesses, this has not made establishing a data protection strategy seem any less of a rollercoaster.

Whether it is the General Data Protection Regulation (GDPR), hailed as a landmark win for data protection, or the long-debated transatlantic Privacy Shield agreement, businesses need to find a way to ensure compliance within a globally complex framework.

This means businesses need to prioritise compliance objectives – and fast. Of course, Privacy Shield is still under negotiation, so for organisations seeking to comply, it is still very much a guessing game.

Recently, the EU data protection supervisor expressed “serious concern” over its leniency with US tech giants sharing details with government officials. We can expect many more such statements.


But when it comes to the GDPR, which has been adopted and will apply from 25 May 2018, there is little excuse for sitting on the fence.

Yet, according to a study earlier this year by Code42, half of enterprise IT decision makers say that the security measures they have today will not meet the GDPR.

So, how can businesses best implement the ‘carrot or stick’-style regulation?

Stick: non-compliance equals fines

The approach taken by the GDPR is definitely not subtle. It does not try to lure businesses into preventing data breaches by whispering sweet nothings in their ears.

Instead, the GDPR is a heavy-handed policy. Anyone who fails to comply can be fined, and these fines are in the big leagues.

The most serious infringements, such as breaching the core processing principles or data subjects' rights, can cost a business up to €20 million or 4% of its total worldwide annual turnover, whichever is greater. Failing to notify the supervisory authority and affected data subjects about a breach sits in the lower tier, but that still means up to €10 million or 2% of worldwide annual turnover.

In this case, honesty is truly the best policy. With exposés on data breaches already costing corporations their public reputation, being ahead of the compliance curve protects the balance sheet and the brand at once.

It is very likely that a business will be breached at some point. So, in short, the choice is between complying now, or paying up and then complying anyway. It is hard to make the business case for paying attention to the GDPR any clearer.

Carrot: data protection as a state of mind

The good news is that the GDPR is regulating a space that has long needed a stronger instrument, given that its predecessor, the 1995 Data Protection Directive, was written before the internet was as widely adopted as it is today.

While the EU's motivation is the citizens' perspective – protecting their privacy – it is also a welcome move for businesses.

Cybercrime, and not having an adequate information security programme to safeguard against it, has become one of the key risks for businesses, so any and all action is essential.

The World Economic Forum agrees – earlier this year, the organisation listed cyber attacks as one of the greatest threats to businesses across 140 economies.

If you consider that TalkTalk's data breach last year cost the company £42 million – and that its 2015 profits halved year on year as a result – compliance can protect a business and its customers all at once.

An additional positive is that high-profile policy moves such as the GDPR have put cyber security firmly on the map for the wider public – so as much as it raises expectations for businesses, it also creates a security mindset for all.

It is this shift in thinking – from the boardroom down to knowledge workers – that is necessary to manage risk and reduce insider threat. According to Forrester, insiders still account for 70% of data breaches, so change needs to happen in any way possible.

Managing risk

In the words of Elon Musk, “Some people don't like change, but you need to embrace change if the alternative is disaster.” Even in the case of Brexit, British companies doing business in Europe will need to comply with data protection regulations, as well as potentially be subject to further information security policy.

Luckily, there are ways for organisations to prepare themselves before the regulation applies in 2018. It boils down to a multi-layered security stack.

In a modern corporation, information security needs to be as diverse and intuitive as its employees, covering everything from prevention to detection to restoration.

This includes preventative measures, such as robust anti-virus software, encryption and malware detection, but also tools to handle a data breach when – not if – it occurs.

Remember, the GDPR does not penalise breaches as such – it takes action against insufficient attention to protection and against the failure to report breaches in a timely manner, which for the supervisory authority means within 72 hours of becoming aware of the breach.

A significant aspect of safeguarding an organisation is to remember that it is porous, with employees often expecting to have access to work data anywhere, any time.


With 43% of all corporate data now held on endpoint devices, the scale of what needs to be secured is larger than ever. The key here is ensuring visibility without sacrificing productivity.

Employees should be educated about the insider threat, and shown the best and safest ways to use their endpoint devices. Ultimately, the way employees work is changing and security needs to work with them, not against them.

To protect the most sensitive data, this could mean limiting access per device – while employees can access their email from their smartphone or laptop, classified data repositories or systems might be limited to in-house devices or a secure corporate subnet.
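The tiered access rule described above can be expressed as a small policy check. The following is an added illustration, not code from the article or from Code42: it assumes each request carries the user, the sensitivity tier of the resource, the source IP and whether the device is corporate-managed, and the tier names, subnets and function names are hypothetical. Email is reachable from any device anywhere, internal systems need a managed device, and classified repositories need a managed device on a corporate subnet; anything unrecognised fails closed, and each decision carries a reason suitable for an audit log.

```python
"""Device- and network-aware access policy (added example, hypothetical names)."""
from dataclasses import dataclass
import ipaddress

# Hypothetical corporate address space: an office LAN and a VPN pool.
CORPORATE_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.99.0.0/24"),
]

# Hypothetical policy table: which device posture and network each tier requires.
POLICY = {
    "email":      {"managed_only": False, "corporate_network_only": False},
    "internal":   {"managed_only": True,  "corporate_network_only": False},
    "classified": {"managed_only": True,  "corporate_network_only": True},
}


@dataclass(frozen=True)
class Request:
    user: str
    resource_tier: str
    source_ip: str
    managed_device: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def on_corporate_network(source_ip: str) -> bool:
    """True if the address falls inside one of the corporate subnets."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    # Dual-stack front ends often report IPv4 clients as ::ffff:a.b.c.d;
    # unwrap so the IPv4 ranges still match.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in CORPORATE_SUBNETS)


def evaluate(req: Request) -> Decision:
    """Apply the policy table; unknown tiers are denied (fail closed)."""
    rule = POLICY.get(req.resource_tier)
    if rule is None:
        return Decision(False, f"unknown resource tier {req.resource_tier!r}")
    if rule["managed_only"] and not req.managed_device:
        return Decision(False, "unmanaged device")
    if rule["corporate_network_only"] and not on_corporate_network(req.source_ip):
        return Decision(False, "outside corporate network")
    return Decision(True, "policy satisfied")


def audit_line(req: Request, decision: Decision) -> str:
    """One line per decision, so investigators can later see who reached what."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} user={req.user} tier={req.resource_tier} "
            f"ip={req.source_ip} managed={req.managed_device} reason={decision.reason}")


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        Request("alice", "email", "203.0.113.7", False),        # webmail from home phone
        Request("alice", "classified", "203.0.113.7", True),    # managed laptop, off-site
        Request("alice", "classified", "10.20.4.9", True),      # managed laptop, office LAN
        Request("bob", "classified", "::ffff:10.99.0.3", True), # VPN client behind IPv6 proxy
        Request("bob", "hr-export", "10.20.4.9", True),         # tier nobody defined
    ]
    for r in samples:
        print(audit_line(r, evaluate(r)))
```

The decision carries a reason string rather than a bare boolean so that the same check feeds both the enforcement point and the log an investigator will need; a denied request for an undefined tier is the signal that a new repository was stood up without a policy entry.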

It should also include continuous, modern endpoint backup on all devices in case ransomware hits or a data breach occurs.

This allows quick, real-time recovery and remediation, and gives security professionals visibility over what was breached and when – exactly the kind of investigative work the GDPR will expect of organisations. It all goes back to one thing: preparation.

 

Sourced from Rick Orloff, chief security officer, Code42


Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
